Jeongbeannnn

#34029 of 53,639
7.7 Total CVSS
Vulnerabilities · 1
PT-2026-39904
7.7
2026-05-11
Budibase · Budibase · CVE-2026-45061
**Name of the Vulnerable Software and Affected Versions**

Budibase versions prior to 3.35.10

**Description**

The Plugin URL upload endpoint "POST /api/plugin" contains a flaw in how it validates submitted URLs. It uses a simple substring check to verify that the `url` variable contains ".tar.gz", which can be bypassed by placing that string anywhere in the path, query string, or fragment. This allows the URL to proceed to the `fetchWithBlacklist()` function without proper validation of the host, scheme, or path, leading to Server-Side Request Forgery (SSRF). SSRF is a vulnerability where an attacker can force the server to make requests to an unintended location, such as internal services.

This issue can be exploited in two primary scenarios: when the `BLACKLIST IPS` configuration is empty, bypassing the default SSRF blacklist, or when the plugin server follows HTTP redirects from an external URL to an internal target due to the default behavior of `node-fetch` with `redirect: 'follow'`. This could allow access to internal network services, such as AWS/GCP/Azure IMDS for credential theft, CouchDB, or Redis.

**Recommendations**

Update to version 3.35.10. As a temporary workaround, restrict access to the "POST /api/plugin" endpoint to only trusted users with the Global Builder role.
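The substring check described above, beside a stricter validator, as an added example written for this page (not Budibase's own code; function names, the `https`-only policy and the sample URLs are assumptions):

```javascript
// Weak check as the advisory describes it: any string containing ".tar.gz"
// passes, even when the match sits in the query string or fragment.
function weakPluginUrlCheck(url) {
  return typeof url === "string" && url.includes(".tar.gz");
}

// Stricter check (assumed policy): parse the URL, allow only https, require the
// archive suffix on the path component itself, reject embedded credentials,
// literal IP hosts and loopback names. Returns { ok, reason } for logging.
function strictPluginUrlCheck(url) {
  let parsed;
  try {
    parsed = new URL(url); // WHATWG parser; normalises hex/octal IP forms
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: `disallowed scheme ${parsed.protocol}` };
  }
  if (!parsed.pathname.endsWith(".tar.gz")) {
    // pathname excludes "?query" and "#fragment", closing the bypass above
    return { ok: false, reason: "path does not end with .tar.gz" };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = parsed.hostname; // IPv6 literals keep their brackets here
  if (/^\[?[\d.:]+\]?$/.test(host) || host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "literal IP or loopback host" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample inputs: one legitimate plugin URL and two shapes the
// substring check accepts but the strict check refuses.
const SAMPLE_URLS = [
  "https://plugins.example.com/my-plugin.tar.gz",
  "http://internal.example/admin?file=.tar.gz",
  "https://internal.example/admin#.tar.gz",
];

function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, weak: weakPluginUrlCheck(u), strict: strictPluginUrlCheck(u).ok }));
}
```

Host validation before the request is only half of the fix: the redirect scenario in the advisory is closed at fetch time by passing `redirect: 'manual'` (an option of both `node-fetch` and the WHATWG fetch API) and re-running the same validator on any `Location` value before following it.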